
© 2025 Chanmax. All rights reserved.

LEGAL

Data Processing Agreement

This agreement governs how we process data on behalf of our clients.

Last updated: December 10, 2024

Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Chanmax ("Processor") and the Client ("Controller") for the provision of services. This DPA applies when Chanmax processes personal data on behalf of the Client in connection with our services. This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data (the Client).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (Chanmax).
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.

Scope of processing

The Processor shall process Personal Data only:

  • On documented instructions from the Controller
  • To the extent necessary to provide the agreed services
  • In accordance with applicable data protection laws

The specific categories of Personal Data, types of Data Subjects, and purposes of processing will be defined in the service agreement or project documentation.

Processor obligations

Chanmax, as the Processor, agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
  • Delete or return all Personal Data upon termination of services, as directed by the Controller
  • Make available information necessary to demonstrate compliance with this DPA

Security measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest where appropriate
  • Access controls to limit access to Personal Data to authorized personnel
  • Regular testing and evaluation of security measures
  • Measures to ensure the ongoing confidentiality, integrity, and availability of systems
  • Procedures for regular backup and recovery of data

Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall:

  • Maintain a list of current Sub-processors, available upon request
  • Notify the Controller of any intended changes to Sub-processors
  • Ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA
  • Remain liable for the acts and omissions of Sub-processors

International data transfers

The Processor shall not transfer Personal Data to countries outside the European Economic Area (EEA) unless appropriate safeguards are in place, such as Standard Contractual Clauses, adequacy decisions, or other legally recognized transfer mechanisms. The Controller will be informed of any such transfers.

Data subject rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access to Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

Data breach notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay upon becoming aware of the breach
  • Provide sufficient information to enable the Controller to meet any obligations to report the breach to supervisory authorities or Data Subjects
  • Cooperate with the Controller in investigating and mitigating the breach
  • Take reasonable steps to mitigate the effects and minimize any damage

Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits shall be conducted with reasonable notice and during normal business hours.

Term and termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination of services, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies unless applicable law requires storage of the Personal Data.

Liability

Each party shall be liable for damages caused by processing that infringes applicable data protection laws. The Processor shall be liable for damages caused by processing only where it has not complied with obligations specifically directed to Processors or where it has acted outside or contrary to the Controller's lawful instructions.

Contact us

For questions about this Data Processing Agreement or to request a signed copy, please contact us:

Chanmax

Email: hello@chanmax.io

Website: chanmax.io